Fortinet Fortimanager CVE-2024–47575

SOCFortress
2 min readOct 24, 2024

--

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Reports have shown this vulnerability to be exploited in the wild.

FortiManager versions:

  • 7.6.0
  • 7.4.0 through 7.4.4
  • 7.2.0 through 7.2.7
  • 7.0.0 through 7.0.12
  • 6.4.0 through 6.4.14
  • 6.2.0 through 6.2.12

FortiManager Cloud versions:

  • 7.4.1 through 7.4.4
  • 7.2.1 through 7.2.7
  • 7.0.1 through 7.0.12
  • 6.4 all versions

Upgrade.

Workarounds

For FortiManager versions 7.0.12 or above, 7.2.5 or above, 7.4.3 or above (but not 7.6.0),

Prevent unknown devices to attempt to register:

config system global
(global)# set fgfm-deny-unknown enable
(global)# end

(Warning: With this setting enabled, be aware that if a FortiGate’s SN is not in the device list, FortiManager will prevent it from connecting to register upon being deployed, even when a model device with PSK is matching.)

Alternatively, for FortiManager versions 7.2.0 and above, you may add local-in policies to whitelist the IP addresses of FortiGates that are allowed to connect.

config system local-in-policy
edit 1
set action accept
set dport 541
set src
next
edit 2
set dport 541
next
end

For 7.2.2 and above, 7.4.0 and above, 7.6.0 and above

It is also possible to use a custom certificate which will mitigate the issue:

config system global
set fgfm-ca-cert
set fgfm-cert-exclusive enable
end

And install that certificate on FortiGates. Only this CA will be valid, this can act as a workaround, providing the attacker cannot obtain a certificate signed by this CA via an alternate channel.

For FortiManager versions 6.2, 6.4, and 7.0.11 and below

Upgrade to one of the versions above and apply the above workarounds.

Detections (IoCs).

IP Addresses:

45[.]32[.]41[.]202
104[.]238[.]141[.]143
158[.]247[.]199[.]37
45[.]32[.]63[.]2

Event detection (FortiManager logs):

type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

Security events from FortiManager and stored in OpenSearch (lucene queries):

//Query 1
msg:"Unregistered device localhost add succeeded" AND operation:"Add device"

//Query 2
operation:"Modify device" AND changes:"Edited device settings (SN FMG-VMTM23017412)"

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet